Can your car get hacked?

Your car's computers know much more about you than you may realize. They’re constantly tracking your driving behavior, speed, seat belt use, and more.

Because your car is networked, outside infiltration of your private data represents a serious threat to consumers. But misuse or inappropriate lawful use of that data is also a concern. In 2011, GM’s OnStar division came under fire when it said it had the right to share location data with third parties. Likewise, data from apps used in your car’s infotainment system could be sold to advertisers.

At a recent conference, Bryan Biniak, Microsoft’s vice president of developer experiences, said those kinds of intuitive corporate interactions with drivers “based upon who I am and what I like” could be a good thing. What does that mean for you? In the future you could see targeted spam appear on your dash screen—perhaps a coupon for an oil change or a suggestion that you stop for a nearby cappuccino.

Today, some insurance companies offer reduced rates to drivers who install a driving-behavior tracker in their car—but could raise the rates if they speed. Already, some lenders install devices that can remotely halt a car purchased by a buyer who misses a payment.

But your data can also be hacked. Any time someone connects to your car’s onboard diagnostics system (OBD-II) port, your vehicle’s secrets become accessible. And black hat computer hackers are claiming they can remotely invade your car’s data systems without ever gaining access to the inside of your vehicle.

Last year, 19 automakers agreed to strengthen their vehicles’ systems against hacking and sharply limit the external sharing of electronic data that drivers voluntarily share with them.

The takeaway: Driving privacy is under threat, if the auto industry and lawmakers don’t take action, says Thilo Koslowski, automotive practice leader at technology research firm Gartner.

What’s more, some of those onboard infotainment computers have interactions with your car’s driving controls. Consider the OnStar navigation and emergency-assist system: It tracks your car’s location and history, but it also can disable your car if it’s stolen.

Though being able to remotely stop a vehi­cle with a drunk driver behind the wheel or a kidnapped child inside can be a good thing, the wider implications are disturbing. Could someone with bad intentions remotely hack into your car’s controls to lock your brakes in traffic or send you careening off a bridge?

A February 2015 “60 Minutes” television segment raised that specter—and demonstrated how it could be done, complete with a video of occupants sitting helplessly as someone with a laptop took remote control of their car’s horn, windshield wipers, and even its brakes.

The U.S. government’s Defense Advanced Research Projects Agency (DARPA) and the National Highway Traffic Safety Administration have been working on identifying ways to protect consumers from car hacking for years. Amateur hackers are also proving that the “attack vectors” of cars need to be made more secure.

For its “60 Minutes” hack, DARPA needed to know the secure phone number that allows the vehicle to interact with the automaker’s cellular network. But it did not need the vehicle identification number of the car or any other specific data.

Dan Kaufman, director of DARPA’s Information Innovation Office, admits his team “knew the car quite well” in running its hack. Such an attack “would not work on just any random car,” Kaufman wrote in an e-mail to Consumer Reports, “although a similar technique would work on many modern cars.”

True, the scary scenario is not easy to achieve, but experts expect it to get easier. The worry among computer scientists is—beyond hacks demonstrated in laboratory settings—that a 14-year-old could eventually perform the hack on his laptop.

At Consumer Reports, we have long been concerned about automotive privacy.

“As cars include more technological and computer advancements, concerns about the privacy of consumer data become even more pressing,” says Ellen Bloom, senior director of federal policy for Consumers Union, the policy and advocacy arm of Consumer Reports.

Sen. Ed Markey, D-Mass., recently authored a report that studied the security systems of 16 automakers—and found them to be lacking. His office plans to introduce legislation to toughen vehicle security and privacy standards. Consumers Union will work with Markey, NHTSA, and the Federal Trade Commission to ensure that your data is better protected.

If you want greater privacy protection, contact your representative or senator and tell the legislator that you support Markey’s efforts. Keep track of developments on this at ConsumersUnion.org.